FunctionConstructor

(legacy labels: Attack-Vector)

Function constructor accessible via the 'constructor' property

Effect

Execution of unsanitized code in the global scope

Background

As discussed at http://code.google.com/p/google-javascript-type-system/issues/detail?id=2 the Function constructor allows for execution of unsanitized code.

EcmaScript 262 section 15.3.4.1 Function.prototype.constructor

The initial value of Function.prototype.constructor is the built-in Function constructor.

Assumptions

The Function constructor has not been replaced with something innocuous.

Versions

All

Example

((function () {}).constructor)(
    'alert("document.cookie = " + document.cookie)')()

Uh oh!

FunctionConstructor

Function constructor accessible via the 'constructor' property

Effect

Background

Assumptions

Versions

Example

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!